A Security Focus on China Outsourcing

Business process outsourcing (BPO), such as credit card transactions, medical claims data entry and financial transactions, has been around for a number of years. Outsourcing these functions offshore to India has become increasingly viable because a great amount of progress has been made in developing the information security framework that protects customer data.

Many of the risks in outsourcing to India-based companies have been mitigated through trial and error, along with the adoption of best practices emerging from all parts of the globe. Over the past 7-10 years, many security risk analyses and reviews have resulted in controls being implemented in most facets of security: administrative, physical and technical. Contracts now carry the appropriate language to protect sensitive data, and physical security measures have been built to align with the client's company policies and standards. The technical measures continue to build upon a strong foundation established in partnership with government and outsourcing firms.

As we gain the benefits of this maturing environment, it becomes increasingly challenging for India-based outsourcers to remain competitive in the world economy. Many outsourcers recognize this issue and have turned to China for the answer.

As businesses attempt to keep variable cost structures intact and operational costs down, China presents itself favorably. India-based outsourcers are starting to reduce their costs by outsourcing your BPO process to China in order to remain cost competitive and offset client defection. This change allows them to stay competitive in the world economy, but it reopens the big question of the security risks we have only begun to overcome with India over the past few years. No matter how this outsourcing arrangement occurs, one point remains the same: new data distribution points mean increased risk and exposure for companies and their customers until those points are reassessed.

On the surface, the BPO outsourcing appears as a reduction in the cost associated with the outsourcing partner. From an information security perspective, red flags should go up early, especially in the review process, to question the cost savings and how they will be achieved in light of the potential increases in due diligence and due care. Information security brings enormous value to the table, since part of our mantra is to ensure that the business can truly keep the cost savings it expects while maintaining the proper security posture.

There will be many challenges ahead for information security professionals in investigating, identifying and mitigating the risks of an outsourcer further outsourcing to China. One challenge will require a more in-depth analysis of the outsourcing company's business practices, methods and policies, and even insight into the contracts that govern its third parties. In some cases, the arrangement is buried under layers of legal entities and companies incorporated in countries that pool the labor force in China. Another challenge will be determining and implementing the increased audit requirements necessary to comply with your regulations and information security best practices. This is the "hidden" cost of maintaining appropriate security levels for your organization, especially since the distribution of your business process data has increased.

To stay one step ahead of the trend, here are some key areas that can be implemented to assist your business in managing the risk associated with government sponsorship, censorship and the implementation of security controls:

1) Communicate expectations: China is a new player in the world economy and likewise a new player in the world information security space. Remind your business leaders that the same amount of attention we devoted to India will be required with China in order to weave the fundamental information security policies and requirements into the fabric of its government and business law.

2) Research Chinese business laws: work closely with your legal team to determine the Chinese requirements placed upon your outsourcer. The findings should translate into service levels and capabilities in your new/existing contracts.

3) Establish due diligence depth: work closely with your legal, compliance and outsourcing team to build the appropriate depth to your due diligence analysis.

4) Understand government monitoring: China monitors and filters content to and from its population. The monitoring of encrypted traffic, such as VPN, secure web transactions and file transfers, should be identified to make sure that the outsourcer's contractual commitments align with your expectations.

5) Explore government access to encryption keys: Chinese business laws may require access to the encryption keys used to send and receive data to other countries. Determine how this access will occur and its implications for your existing key management policies and procedures.

6) Investigate security breach notification: inquire about the security breach process for incidents that may emerge from inside China's borders. If a physical or technical breach occurs, you will need to determine whether government censorship will prevent or filter disclosure. This can impact your ability to remain compliant with regulations in other countries.

7) Develop sourcing awareness: provide your sourcing team with the information necessary to design outsourcing contracts that align appropriately with your industry requirements. This also gives them the tools to recognize an information security caution flag, which lets you engage early in the contract process and assist in building security-aware agreements.

Overall, if this trend in outsourcing continues, many new categories will appear in your transitional risk analysis, such as censorship, government laws and restrictions. Getting ahead of these items and building a scalable process to handle them will bring efficiencies to your assessment process. It will also build awareness earlier in your engagement process, providing the appropriate balance in mitigating identified risks. In the end, your customers will silently thank you for it.

Rick Lawhorn (CISSP, CISA, CHSS, CHP, TCNP) is a Principal of Information Security & Compliance at Dataline, Inc. He has served as CISO at GE Financial Assurance & Genworth Financial and has over 16 years of experience in information technology.